demo | 2023-11-02 · NEW: ![]() |
|
abstract:
Documento annotato il 02.11.2023
Fonte: org.uk
Link: https://ico.org.uk/media/action-weve-taken/mpns/40
Link: https://ico.org.uk/media/action-weve-taken/mpns/40
analisi:
L'analisi è riservata agli iscritti. Segui la newsletter dell'Osservatorio oppure il Podcast iscrizione gratuita 30 giorni
index:
testo:
Eestimated reading time: 23 min 1
DATA PROTECTION ACT 1998
SUPERVISORY POWERS OF THE INFORMA ...
TION COMMISSIONER
MONETARY PENALTY NOTICE
To: Digivo Media Limited
Of: Office One, 1 Coldbath Square, London, EC1R 5HL
1. The Information Commissioner (“the Commissioner”) has decided to
issue Digivo Media Limited (“Digivo”) with a monetary penalty under
section 55A of the Data Protection Act 1998 (“DPA”). The penalty is in
relation to a serious contravention of Regulation 22 of the ....... and
Electronic Communications (EC Directive) Regulations 2003 (“PECR”).
2. This notice explains the Commissioner’s decision.
Legal framework
3. Digivo, whose registered office is given above (Companies House
Registration Number: 12806848) is the organisation stated in this
notice to have transmitted and instigated the transmission of
unsolicited communications by means of electronic mail to individual
subscribers for the purposes of direct marketing contrary to regulation
22 of PECR.
4. Regulation 22 of .... states:
3
5. Section 122(5) of the Data Protection Act 2018 “DPA18” defines direct
marketing as “ the communication (by whatever means) of advertising
or marketing material which is directed to particular individuals ”. This
definition also applies for the purposes of .... (see regulation 2(2)
PECR and paragraphs 430 & 432(6) to Schedule 19 of the DPA18).
6. From 1 January 2021, ....... .. .... has been defined by reference
to the concept of ....... .. ... .. .... as defined in section 3(10) of
the ... 2018 [1]
: see regulation 2(1) of PECR, as amended by Part 3 of
Schedule 3, paragraph 44 of The Data Protection, ....... and
Electronic Communications (Amendments etc) (EU Exit) Regulations
2019/419. Article 4(11) of the UK .... sets out the following
definition: “ ‘consent’ of the data subject means any freely given,
specific, informed and unambiguous indication of the data subject's
wishes by which he or she, by a statement or by a clear affirmative
action, signifies agreement to the .......... of personal data relating
to him or her ”.
7. “Individual” is defined in regulation 2(1) of .... as “a living individual
and includes an unincorporated body of such individuals ”.
8. A “subscriber” is defined in regulation 2(1) of .... as “ a person who is
a party to a contract with a provider of public electronic
communications services for the supply of such services ”.
9. “Electronic mail” is defined in regulation 2(1) of .... as “ any text,
voice, sound or image message sent over a public electronic
communications network which can be stored in the network or in the
[1] The UK .... is therein defined as Regulation (EU) 2016/679 of the European Parliament and of the Council of 27
April 2016 (“GDPR”) as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue
of section 3 of the European Union (Withdrawal) Act 2018.
4
recipient’s terminal equipment until it is collected by the recipient and
includes messages sent using a short message service ”.
10. The term "soft opt-in" is used to describe the rule set out in in
Regulation 22(3) of PECR. In essence, an organisation may be able to
e-mail its existing customers even if they haven't specifically consented
to electronic mail. The soft opt-in rule can only be relied upon by the
organisation that collected the contact details.
11. Section 55A of the ... (.. ....... .. .... cases by Schedule 1 to
PECR, as variously amended) states:
“(1) The Commissioner may serve a person with a monetary penalty if the Commissioner is satisfied that –
(a) there has been a serious contravention of the requirements of the ....... and Electronic Communications (EC
Directive) Regulations 2003 by the person,
(b) subsection (2) or (3) applies.
(2) This subsection applies if the contravention was deliberate.
(3) This subsection applies if the person –
(a) knew or ought to have known that there was a risk that the
contravention would occur, but
(b) failed to take reasonable steps to prevent the
contravention.”
12. The Commissioner has issued statutory guidance under section 55C (1)
of the ... about the issuing of monetary penalties that has been
published on the ICO’s website. The Data Protection (Monetary
Penalties) (Maximum Penalty and Notices) Regulations 2010 prescribe
that the amount of any penalty determined by the Commissioner must
5
not exceed £500,000.
13. .... were enacted to protect the individual’s fundamental right to
privacy in the electronic communications sector. .... were
subsequently amended and strengthened. The Commissioner will
interpret .... in a way which is consistent with the Regulations’
overall aim of ensuring high levels of protection for individuals’ .......
rights.
14. The provisions of the ... ...... .. ..... ... ... ........ .. ....
notwithstanding the introduction of the DPA18: see paragraph 58(1) of
Schedule 20 to the DPA18.
Background to the case
15. Digivo was incorporated on 11 August 2020 and the registered address
is Office One, 1 Coldbath Square, London, EC1R 5HL. There is one
director appointed, Sebastian Powdrill.
16. Digivo trades as Rid My Debt. Individuals use the Rid My Debt website
to help find debt solutions by inputting their personal information and
details of their outstanding debts; their information is then passed to
Digivo’s panel of debt service finders and providers so that these third
parties can offer debt management solutions.
17. Mobile users can report the receipt of unsolicited marketing text
messages to the Mobile UK’s Spam Reporting Service by forwarding the
6
message to 7726 (spelling out “SPAM”). Mobile UK is an organisation
that represents the interests of mobile operators in the UK. The
Commissioner is provided with access to the data on complaints made
to the 7726 service and this data is used to ascertain organisations in
breach of PECR.
18. Digivo came to the ICO’s attention following a review of debt
management complaints received via the SPAM reporting tool.
19. Complaints research by the Commissioner indicated that 943 spam text
reports about Digivo had been submitted to 7726, as well as one
complaint submitted to the ... directly. The text message scripts were
as follows:
NAME, new laws mean you can write off debts you cannot afford to
repay. Stop creditor action. https://cutt.ly/RidMyDebt for FREE pack.
STOP?07520648329
NAME, credit records show you can write off 75% of your debt. Freeze
Interest. Visit https://cutt.ly/RidMyDebt for FREE advice.
STOP?07520648329
20. These messages constituted marketing as they encouraged individuals
to go to the Rid My Debt website to get a “free pack” or “free advice”,
which represented the promotion of Digivo’s products and services
through the Rid My Debt website.
21. On 8 September 2021, an investigation letter was sent to Digivo via
email. The letter outlined the Commissioner’s concerns about
compliance with the PECRs, and the powers available to the ICO. It
also asked a range of questions, including the volume of marketing
7
messages sent and delivered over the period 7 September 2020 to 7
September 2021, the source of the data, and evidence of .......
relied on by Digivo to send the marketing messages. An index of the
944 complaints was also provided and Digivo was asked to provide an
explanation for the complaints.
22. On 29 September 2021, Sebastian Powdrill, sole director of Digivo,
provided a response to the investigation letter. He stated that:
479,017 text messages had been sent, of which 415,041 had
been delivered, over the period 7 September 2020 to 7
September 2021.
Digivo was both the instigator and the sender of the text
messages.
Personal data was obtained from Digivo’s website,
www.ridmydebt.co.uk; no other sources were used.
The text messages were sent with the purpose of legitimate
interest relating to debt concern.
Digivo relied on a check box which data subjects must tick for
consent to contact the individuals by text message.
Digivo had an SMS schedule where once a week customers who
expressed their ....... would be messaged in the interests of
re-marketing.
23. The Commissioner notes this response did not make it clear what
justification Digivo were relying on to send the marketing messages,
since both ....... and legitimate interests were referenced. Mr
Powdrill stated that Digivo sent the data “with the purpose of legitimate
interest” but also that the data collection box includes “a check box
where the customer agrees to give their ....... to receive email, SMS
and telephone communication”.
8
24. When the Commissioner examined Divigo's ....... policy, it appeared
that Digivo relied on consent:
“You will receive marketing communications from us if you have
consented to received (sic) information for products and services from
us.”
25. In Digivo's response it was confirmed that marketing text messages
were first sent on 24 March 2021. The start of the contravention period
was necessarily adjusted from 7 September 2020 to 24 March 2021.
The full contravention period is therefore 24 March 2021 to 7
September 2021, a period of just under six months.
26. Digivo also stated:
“We only send out marketing communication in alignment with
legitimate interests, this way we can ensure the customer only sees
what service they are interested in.”
27. From this response it appeared that Digivo relied on legitimate
interests to send marketing messages, which contrasts with the
information provided to individuals in Digivo’s ....... policy. However,
in order to send the marketing messages in compliance with Regulation
22, Digivo would need to have relied on ....... or the soft opt-in.
28. Digivo provided a screenshot of the data collection form relied on to
justify sending marketing messages to data subjects. However, this
form asked individuals to “agree”, rather than giving individuals the
option to opt out. Digivo stated:
9
“The customer agrees to give their ....... to receive email, SMS and
telephone communication and agrees to our ....... policy and our
terms and conditions.”
29. The Commissioner asked Digivo whether customers would be able to
click the “write off my debt!” box without ticking the “I agree” tick box.
Initially, Digivo stated:
“It was always the case that you could submit an application without
ticking the tick box. However, upon checking this again now I can see it
won’t let you submit the form without ticking the box."
30. Further, Digivo explained:
“There is no way someone buying that lead can provide their debt
solution service without that box being ticked i.e. being able to contact
the customer."
31. Therefore, it appeared that whilst the tick box asked individuals to
consent to being contacted by a trusted debt solution provider, it did
not actually give customers any other choice but to consent. As such,
any ....... ........ .. .... ... ... ......., .. ... ....... had been
made a pre-condition of service and customers were not given any
genuine choice.
32. With regards to the volume of text messages sent and delivered in
contravention of the PECR, Digivo explained that:
“At the point of application we will not make any contact to the
applicant only our partners will contact them directly.
10
The messages sent only relate to marketing only and not
transactional.”
33. This indicated that, of the 479,017 messages sent, none of those were
solicited messages sent directly in response to the submission of a loan
application; nor were any of the messages included in this figure
service messages.
34. Therefore, the Commissioner was able to conclude that 479,017
unsolicited marketing messages were sent in contravention of the ....
over the course of just under six months, of which 415,041 were
delivered.
35. Following further investigation into various types of trading styles in
the industry, a link was found between Digivo and the trading style
' '. Digivo confirmed this:
“We have a relationship with […] We used this sender name
because we felt like it gave the simplest description on what service we
offer.”
36. Digivo confirmed that the messages were included in the
volume of messages described in paragraph 34, so this volume did not
increase. There were 452 ‘ ’ complaints over the contravention
period, increasing the total number of complaints received to 1,396.
37. The Commissioner has made the above findings of fact on the
balance of probabilities.
38. The Commissioner has considered whether those facts constitute
a contravention of regulation 22 of .... by Digivo and, if so, whether
the conditions of section 55A ... are satisfied.
11
The contravention
39. The Commissioner finds that Digivo contravened regulation 22 of PECR.
40. The Commissioner finds that the contravention was as follows:
41. The Commissioner finds that between 24 March 2021 and 7 September
2021 there were 415,041 direct marketing SMS received by individuals.
The Commissioner finds that Digivo transmitted and instigated the
transmission of those direct marketing messages, contrary to
regulation 22 of PECR.
42. Digivo, as the sender and instigator of the direct marketing, is required
to ensure that it is acting in compliance with the requirements of
regulation 22 of PECR, and to ensure that valid ....... to send those
messages had been acquired.
43. For ....... to be valid it is required to be “freely given”, by which it
follows that if ....... to marketing is a condition of subscribing to a
service, the organisation will have to demonstrate how the ....... can
be said to have been given freely. Digivo relied on a statement which
must be ticked to proceed with the application, meaning that the
consent obtained was not freely given.
44. ....... is also required to be “specific” as to the type of marketing
communication to be received, and the organisation, or specific type of
organisation, that will be sending it. In this instance, the statement
asked individuals to ....... to receiving email, telephone, and SMS,
with no option to pick between the communication channels. This
meant the ....... obtained by Digivo was not specific.
12
45. ....... will not be “informed” if individuals do not understand what
they are consenting to. Organisations should therefore always ensure
that the language used is clear, easy to understand, and not hidden
away in a ....... ...... .. ..... ...... ....... will not be valid if
individuals are asked to agree to receive marketing from “similar
organisations”, “partners”, “selected third parties” or other similar
generic description. In this instance, the statement does not reference
marketing at all and only stated that individuals would be contacted by
third party debt solution providers, not that the individual would
receive further contact from Digivo, so the ....... obtained was not
informed.
46. With regards to relying on the soft opt-in, Digivo would have needed to
provide individuals with the chance to opt out of future marketing at
the point of collecting their personal data; this opportunity was not
provided, therefore Digivo were unable to rely on the soft opt-in to
justify sending unsolicited marketing messages.
47. The Commissioner is therefore satisfied from the evidence he has seen
that Digivo did not have the necessary valid ....... for the 415,041
direct marketing messages received by individual subscribers.
48. The Commissioner has gone on to consider whether the conditions
under section 55A ... are met.
Seriousness of the contravention
49. The Commissioner is satisfied that the contravention identified
above was serious. This is because, between 24 March 2021 and 7
13
September 2021, a confirmed total of 415,041 direct marketing
messages were sent by Digivo and received by individual subscribers.
These messages contained direct marketing material for which
individual subscribers had not provided valid consent. Furthermore, the
Commissioner is satisfied that Digivo cannot rely on the soft opt-in
exemption.
50. Additionally, the Commissioner considers the contravention “serious”
because in Digivo’s response to the investigation letter, a copy of the
current ........ was provided, which contained 22,214 separate
records. Digivo stated that they sent marketing on a weekly basis to
those who had “consented”, which is likely to mean every customer
who applied using the RidMyDebt website, given that they were unable
to submit an application without checking the box that Digivo relied on
as consent. This means there is the potential that 22,214 unsolicited
marketing messages were being sent each week, or 1,155,128 per
year.
51. Further, the contravention is serious due to the fact that 1,396
complaints were submitted during the contravention period, including
one to the ICO’s online reporting tool. Additionally, a further 202
complaints were submitted to the 7726 spam text reporting tool since
the end date of the contravention period and up to 18 May 2022. These
complaints appear to involve the same scripts as provided to the
Commissioner during the investigation period.
52. The Commissioner is therefore satisfied that condition (a) from
section 55A(1) ... is met.
14
Deliberate or negligent contraventions
53. The Commissioner has considered whether the contravention identified
above was deliberate. In the Commissioner’s view, this means that
actions which constituted that contravention were deliberate actions
(even if Digivo did not actually intend thereby to contravene PECR).
54. The Commissioner considers that in this case Digivo did deliberately
contravene regulation 22 of PECR. This is because:
Digivo appeared to have a connection to ,
indicated via the apparent copying of their website format.
Digivo’s probable connection with other affiliated companies
within the sub-prime market.
The volume of subsequent complaints submitted during and post
investigation period.
55. For the above reasons, the Commissioner is satisfied that this breach
was deliberate.
56. Further and in the alternative, the Commissioner has gone on to
consider whether the contravention identified above was negligent.
This consideration comprises two elements:
57. Firstly, he has considered whether Digivo knew or ought reasonably to
have known that there was a risk that these contraventions would
occur. He is satisfied that this condition is met on the basis that the
organisation and director should have been aware of their
responsibilities to comply with the relevant legislation.
15
58. The Commissioner has published detailed guidance for those carrying
out direct marketing explaining their legal obligations under PECR.
This guidance gives clear advice regarding the requirements of .......
for direct marketing and explains the circumstances under which
organisations are able to carry out marketing over the phone, by text,
by email, by post, or by fax. In particular it states that organisations
can generally only send, or instigate, marketing messages to
individuals if that person has specifically consented to receiving them.
The guidance also provides a full explanation of the soft opt-in
exemption. The Commissioner has also published detailed guidance on
consent under the GDPR. In case organisations remain unclear on their
obligations, the ... ........ . ......... ......... ...
communications about previous enforcement action where businesses
have not complied with .... are also readily available.
59. It is therefore reasonable to suppose that Digivo should have been
aware of their responsibilities in this area.
60. Secondly, the Commissioner has gone on to consider whether Digivo
failed to take reasonable steps to prevent the contraventions. Again, he
is satisfied that this condition is met.
61. The ... produces clear guidance via its website on the rules of direct
marketing. In addition, the ... operates a helpline should
organisations require further clarification or assistance with specific
enquiries. Should Digivo have any questions regarding their direct
marketing techniques, it would have been reasonable to consult these
resources.
62. Further, it is clear that, at the point of being notified of the
Commissioner's investigation, Digivo were aware of risks. The
16
subsequent volume of complaints following this point in time illustrates
the organisation failed to take reasonable steps to avoid further
contraventions.
63. In the circumstances, the Commissioner is satisfied that Digivo failed to
take reasonable steps to prevent the contraventions.
64. The Commissioner is therefore satisfied that condition (b) from section
55A (1) ... is met.
The Commissioner’s decision to issue a monetary penalty
65. The Commissioner has taken into account the following
aggravating feature of this case:
Of the individuals involved, there will have likely been a
proportion of subscribers in receipt of marketing texts who are
financially vulnerable. The Panel are min dful that some debt
management options are not always in the best interests of those
suffering financial hardship.
66. The Commissioner found no mitigating factors.
67. For the reasons explained above, the Commissioner is satisfied that the
conditions from section 55A (1) ... have been met in this case. He is
also satisfied that the procedural rights under section 55B have been
complied with.
68. The latter has included the issuing of a Notice of Intent, dated 25 May
2023, in which the Commissioner set out his preliminary thinking. In
reaching his final view, the Commissioner has taken into account the
representations made by Digivo on this matter.
17
69. The Commissioner is accordingly entitled to issue a monetary penalty
in this case.
70. The Commissioner has considered whether, in the circumstances, he
should exercise his discretion so as to issue a monetary penalty.
71. The Commissioner has considered the likely impact of a monetary
penalty on Digivo. In doing so, the Commissioner has given careful
consideration to the representations made by Digivo in response to the
Notice of Intent. However, the Commissioner has decided that a
penalty nevertheless remains the appropriate course of action in the
circumstances of this case.
72. The Commissioner’s underlying objective in imposing a monetary
penalty notice is to promote compliance with PECR. The sending of
unsolicited direct marketing messages is a matter of significant public
concern. A monetary penalty in this case should act as a general
encouragement towards compliance with the law, or at least as a
deterrent against non-compliance, on the part of all persons running
businesses currently engaging in these practices. The issuing of a
monetary penalty will reinforce the need for businesses to ensure that
they are only messaging those who specifically ....... to receive
direct marketing.
73. In making his decision, the Commissioner has also had regard to the
factors set out in s108(2)(b) of the Deregulation Act 2015; including:
the nature and level of risks associated with non-compliance, including
the risks to economic growth; the steps taken by the business to
achieve compliance and reasons for its failure; the willingness and
ability of the business to address non-compliance; the likely impact of
the proposed intervention on the business, and the likely impact of the
18
proposed intervention on the wider business community, both in terms
of deterring non-compliance and economic benefits to legitimate
businesses.
74. For these reasons, the Commissioner has decided to issue a monetary
penalty in this case.
The amount of the penalty
75. Taking into account all of the above, the Commissioner has decided
that a penalty in the sum of £50,000 (fifty thousand pounds) is
reasonable and proportionate given the particular facts of the case and
the underlying objective in imposing the penalty.
Conclusion
76. The monetary penalty must be paid to the Commissioner’s office by
BACS transfer or cheque by 2 November 2023 at the latest. The
monetary penalty is not kept by the Commissioner but will be paid into
the Consolidated Fund which is the Government’s general bank account
at the Bank of England.
77. If the Commissioner receives full payment of the monetary penalty by
1 November 2023 the Commissioner will reduce the monetary
penalty by 20% to £40,000 (forty thousand pounds) . However, you
should be aware that the early payment discount is not available if you
decide to exercise your right of appeal.
78. There is a right of appeal to the First-tier Tribunal (Information Rights)
against:
(a) the imposition of the monetary penalty
19
and/or;
(b) the amount of the penalty specified in the monetary penalty
notice.
79. Any notice of appeal should be received by the Tribunal within 28 days
of the date of this monetary penalty notice.
80. Information about appeals is set out in Annex 1.
81. The Commissioner will not take action to enforce a monetary penalty
unless:
the period specified within the notice within which a monetary
penalty must be paid has expired and all or any of the monetary
penalty has not been paid;
all relevant appeals against the monetary penalty notice and any
variation of it have either been decided or withdrawn; and
the period for appealing against the monetary penalty and any
variation of it has expired.
82. In England, Wales and Northern Ireland, the monetary penalty is
recoverable by Order of the County Court or the High Court. In
Scotland, the monetary penalty can be enforced in the same manner as
an extract registered decree arbitral bearing a warrant for execution
issued by the sheriff court of any sheriffdom in Scotland.
20
Dated the 3 rd
day of October 2023
Andy Curry
Head of Investigations
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
21
ANNEX 1
SECTION 55 A-E OF THE DATA PROTECTION ACT 1998
RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER
1. Section 55B(5) of the Data Protection Act 1998 gives any person
upon whom a monetary penalty notice has been served a right of
appeal to the First-tier Tribunal (Information Rights) (the ‘Tribunal’)
against the notice.
2. If you decide to appeal and if the Tribunal considers:-
a) that the notice against which the appeal is brought is not in
accordance with the law; or
b) to the extent that the notice involved an exercise of
discretion by the Commissioner, that he ought to have exercised
his discretion differently,
the Tribunal will allow the appeal or substitute such other decision as
could have been made by the Commissioner. In any other case the
Tribunal will dismiss the appeal.
3. You may bring an appeal by serving a notice of appeal on the
Tribunal at the following address:
General Regulatory Chamber
HM Courts & Tribunals Service
PO Box 9300
Leicester
LE1 8DJ
22
Telephone: 0203 936 8963
Email: grc@justice.gov.uk
a) The notice of appeal should be sent so it is received by the
Tribunal within 28 days of the date of the notice.
b) If your notice of appeal is late the Tribunal will not admit it
unless the Tribunal has extended the time for complying with this
rule.
4. The notice of appeal should state:-
a) your name and address/name and address of your
representative (if any);
b) an address where documents may be sent or delivered to
you;
c) the name and address of the Information Commissioner;
d) details of the decision to which the proceedings relate;
e) the result that you are seeking;
f) the grounds on which you rely;
g) you must provide with the notice of appeal a copy of the
monetary penalty notice or variation notice;
h) if you have exceeded the time limit mentioned above the
notice of appeal must include a request for an extension of time
23
and the reason why the notice of appeal was not provided in
time.
5. Before deciding whether or not to appeal you may wish to consult
your solicitor or another adviser. At the hearing of an appeal a party
may conduct his case himself or may be represented by any person
whom he may appoint for that purpose.
6. The statutory provisions concerning appeals to the First-tier
Tribunal (Information Rights) are contained in section 55B(5) of, and
Schedule 6 to, the Data Protection Act 1998, and Tribunal Procedure
(First-tier Tribunal) (General Regulatory Chamber) Rules 2009
(Statutory Instrument 2009 No. 1976 (L.20)).
Link: https://ico.org.uk/media/action-weve-taken/mpns/40
Testo del 2023-11-02 Fonte: org.uk
Demo Altre chiavi solo per gli iscritti
Commenta
i commenti sono anonimi e inviati via mail e cancellati dopo aver migliorato la voce alla quale si riferiscono: non sono archiviati; comunque non lasciare dati particolari. Si applica la privacy policy.